On Jun 11, 2015, at 15:37, Alexander Bokovoy <[email protected]> wrote:
>
> On Thu, 11 Jun 2015, Bobby Prins wrote:
>> On Apr 7, 2015, at 13:41, Bobby Prins <[email protected]> wrote:
>>>
>>>> On Apr 3, 2015, at 14:40, Bobby Prins <[email protected]> wrote:
>>>>
>>>>> ----- Original message -----
>>>>> From: "Alexander Bokovoy" <[email protected]>
>>>>> To: "Bobby Prins" <[email protected]>
>>>>> Cc: [email protected], [email protected]
>>>>> Sent: Friday 3 April 2015 14:26:17
>>>>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>>>>
>>>>> On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>>>>> ----- Original message -----
>>>>>>> From: "Alexander Bokovoy" <[email protected]>
>>>>>>> To: "Bobby Prins" <[email protected]>
>>>>>>> Cc: [email protected], [email protected]
>>>>>>> Sent: Friday 3 April 2015 12:45:07
>>>>>>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>>>>>>
>>>>>>> On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>>>>>> access:
>>>>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
>>>>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
>>>>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>>>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)([email protected]))" attrs=ALL
>>>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
>>>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
>>>>>>> Above there are two lookups:
>>>>>>>
>>>>>>> - successful lookup for user [email protected]
>>>>>>> - unsuccessful lookup for user bprins
>>>>>>>
>>>>>>> What is causing it to perform a lookup without @example.com? Compat tree presents AD users fully qualified, it is the only way it knows to trigger lookup via SSSD on IPA master for these users (because non-fully qualified users are in IPA LDAP tree already and copied to compat tree automatically).
>>>>>> This seems to be (standard?) behaviour of the AIX LDAP client. Did some more tests with different accounts and always see the two lookups. I doubt if I can influence that..
>>>>> No, this is not standard -- I haven't seen such behavior when testing FreeIPA with AIX last autumn.
>>>>> --
>>>>> / Alexander Bokovoy
>>>> OK, with the idsldap client software and an AD trust configured? This is on AIX7.1. I'm spinning up an AIX5.3 machine now for another test. Might try AIX6.1 as well. What works is creating the user object in freeIPA so the lookup succeeds. After that I can authenticate successfully against AD. Not the solution I'm looking for though.
>>> Did some tests with AIX5.3 and then I don't run into any issues. There is no lookup to be seen after entering my username on AIX5.3 (as there was on AIX7.1), only the authentication request which succeeds. Will test AIX6.1 later on..
>>
>> AIX6.1 also worked without any problems. In the end my methods.cfg was causing the problems on AIX7.1. After deleting these lines authentication worked:
>>
>> KRB5:
>>     program = /usr/lib/security/KRB5
>>     program_64 = /usr/lib/security/KRB5_64
>>     options = authonly,kadmind=no
>>
>> KRB5LDAP:
>>     options = auth=KRB5,db=LDAP
>>
>> So my methods.cfg now looks like this:
>>
>> LDAP:
>>     program = /usr/lib/security/LDAP
>>     program_64 = /usr/lib/security/LDAP64
>>
>> NIS:
>>     program = /usr/lib/security/NIS
>>     program_64 = /usr/lib/security/NIS_64
>>
>> DCE:
>>     program = /usr/lib/security/DCE
>>
>> I was not expecting this since I was not using KRB5 or KRB5LDAP in /etc/security/user. Well, I'm glad I got this sorted out now :)
> Great. Could you please write your configurations up somewhere so that we can have an article on freeipa.org detailing the configs for future users?

Yes, I will do that Alexander. Hope to have some time for that next week.

> --
> / Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
